Crikey! Open source Android might be just a wee bit too open with your data

Researchers at Germany's University of Ulm have discovered a vulnerabliity in Android's authentication protocol, known as ClientLogin which should protect your login credentials to apps like your contact list and your calendar. It seems that while your request is encrypted, the response which includes your credentials is sent back in plain text, and those credentials remain valid for 2 weeks. The new versions of Android have fixed this flaw but according to the story at The Register connections to Picassa still return in plain text.

"The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned."